since v19.0EAP2 TLS/SSL decrypt IMAPS POPS

Certifikate issue also makes problems recrypt https traffic, trying to regenerate the SecurityAppliance doesnt work.
Problem still exist. I dont know what this "Untrusted" certifikate came from.
I now switch Re-sign with "Default" certifikate.
Now its working fine.

Path to v19:

Running 18.5MR2 -> create backup -> create fresh v19 EAP2 HyperV from installer -> @ frist setup, import backup

Changed CAs

Changed mail to legacy mode

changed mail firewall rule to use web proxy (should not have had any affect)

rebooted XG to see if that would change the mail scanning CAs and appears to have worked.

So, which of the above items was the cause of failure and required a reboot to become operational?

Ian

SMPT/s scanning still fails the CA as being untrusted. Might need to re-install mail on the ipad, that has worked in the past, otherwise disable Smtps scanning again.

Not just the iPad, aldo mac mail on th emac mini, the CA as not valid because the name is wrong, the CA is issued for many of the mail providers sites and th email name is not the sam was the email server's.

Ian

Die you try to change the certificate for SMTP?

Do you get the same crazy "untrusted" certificate?

I am not using SMTP mail proxy @ my XG.

Yes, I changed the smtp ca and yes I get the untrusted ca.

I disabled smtp scanning again.

ian

Is it related to your change of IPS: https://community.sophos.com/sophos-xg-firewall/sfos-v19-early-access-program/f/recommended-reads/132522/eap2-please-try-this-ips-scanning-enhancement ? 

my first post was with port ano OFF
but now tested again
ips scan_decrypted_port_agnostic ON or OFF doesnt matter
SSL/TLS scans IMAP POP3 and SMTP
but after set it again off and on, I don't geht the untrust cert again.
I am now using the SecureAppliance_CA again.

Because SMTP is scanned to, I putt all SMTP Ports to my "don't decrypt" rule

I am a bit unsure but in my mind it makes sense that this traffic is scanned from TLS/SSL to. Just that it now happens should be a point of interest.

ATM I disable my don't decrypt (POP3,IMAP,SMTP) to see what happend.
The problem with that untrusted cert is one big thing that should be cleared. 

Hi lucar,

no, this has been an issue with smtps since I installed v18.5.1 on my old Xeon based machine. The xg115w is a fresh install and configuration so there is no hangover from the old xeon configuration.

Ian

Hi,

I have created an SSL/TLS rule to scan emails again. Now the profile shows two CAs that failed security, where do I find the CAs to confirm which ones they are, though I suspect I know. The same CAs are trusted by the firewall rule using imaps scanning, so what is wrong with the SSL/TLS scanning?

And please don't try to tell me Sophos SSL/TLS CA scanning is more rigorous then many other companies that use the same ISP mail servers.

Ian

Hi,

I have created an SSL/TLS rule to scan emails again. Now the profile shows two CAs that failed security, where do I find the CAs to confirm which ones they are, though I suspect I know. The same CAs are trusted by the firewall rule using imaps scanning, so what is wrong with the SSL/TLS scanning?

And please don't try to tell me Sophos SSL/TLS CA scanning is more rigorous then many other companies that use the same ISP mail servers.

Ian

SSL/TLS is acknowledged as not supporting email scanning.

Ian